
Ransomware Spammers Turn To Ads For Cash

A major Trojan-horse malware family has returned with a new type of payload that seeks to use affected systems as part of an advertising scam.

Nemucod, the most active single Trojan horse so far this year, was previously used in several large spam campaigns to deploy ransomware variants including Locky and TeslaCrypt, according to IT security firm ESET.

Ad-clicking backdoor

The Trojan at one point in late March accounted for 24 percent of all of ESET’s malware detections worldwide, and in some countries makes up more than half of all malicious files detected so far this year, ESET said.

Trojans are so called because they use a seemingly harmless file to deliver a malicious payload.

Nemucod has now returned and is delivering a backdoor called Kovter. Backdoors install a tool that allows attackers to remotely control a system without the user’s knowledge.

“The variant analyzed by ESET researchers has been enhanced by ad-clicking capability delivered via an embedded browser,” ESET said in an advisory. “The Trojan can activate as many as 30 separate threads, each visiting websites and clicking on ads.”

The backdoor monitors system performance and when the computer is idle it allocates more processor resources to its ad-clicking tools.

Profit motive

Like previous Nemucod variants, the malware arrives as a ZIP email attachment pretending to be an invoice and containing a malicious executable JavaScript file.

ESET recommended users set their systems to display filename extensions so that executables do not appear to be documents.

Email scanning tools can also help block such malware, ESET said.
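The kind of check an email scanning tool can apply to the delivery method described above, as an added example that is not from ESET or the original article: it lists script files inside a ZIP attachment and flags names that would look like documents when extensions are hidden. The extension lists, function names and sample archive are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed lists (not from the article): script types Windows runs on double-click,
# and document extensions commonly used as a decoy in front of them.
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def inspect_zip_attachment(data: bytes) -> list[dict]:
    """Return one finding per archive member that is a directly executable script."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not parseable as ZIP: report that instead of silently passing it.
        return [{"member": None, "reason": "unreadable-archive"}]
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Windows drops trailing dots and spaces from file names, so
            # normalise them before reading the extension.
            name = PurePosixPath(info.filename.replace("\\", "/")).name.rstrip(". ")
            suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
            if not suffixes or suffixes[-1] not in SCRIPT_EXTS:
                continue
            decoy = len(suffixes) > 1 and suffixes[-2] in DECOY_EXTS
            findings.append({
                "member": info.filename,
                "reason": "double-extension-script" if decoy else "script-in-archive",
                # Name as displayed when the final extension is hidden.
                "shown_as": name[: -len(suffixes[-1])],
            })
    return findings


def build_sample() -> bytes:
    """Constructed sample: harmless text stored under invoice-style names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice_2016.pdf.js", "// constructed placeholder, not malware")
        z.writestr("readme.txt", "constructed")
        z.writestr("docs/scan.JS", "// constructed placeholder")
    return buf.getvalue()
```

A mail gateway or triage script would pass each attachment's raw bytes to inspect_zip_attachment and quarantine the message when the returned list is not empty.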

The rapid spread of ransomware infections has been driven by the promise of quick profits, according to researchers.

Advertising revenues, besides forming another draw for malware developers, also underlie the spread of nuisance software, in which users are tricked into installing unwanted programs through bundling or misleading advertisements, according to recent research by Google.

A recent study by BT and KPMG found that computer criminals now often operate as well-organised, profit-motivated businesses, with human resources departments and large research and development budgets.

The study warned that such criminal organisations are engaged in an “arms race” with mainstream groups.


Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
